1. Don’t reuse passwords

In 2007, Dinei Florencio and Cormac Herley at Microsoft Research looked into the password habits of half a million users in their large-scale study of website password habits. They found that the average user needed about 25 distinct passwords but only had about six.

The average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords.

That’s a problem because it rewards anyone who steals one of your passwords with the key to a number of other sites as well, making the damage far worse.

Website hosting giant WordPress searched its own user database for the stolen credentials and found 700,000 matching email addresses and 100,000 matching email and password combinations.

In other words, for each email account the crooks compromised they also had a 1 in 14 chance of successfully compromising a WordPress account too, something well worth the effort of just rattling the keys in the lock.

If your password is stolen in a data breach then you should expect that the crooks will try it out on Facebook, Twitter, WordPress and any other websites they think you might be using too.

2. Don’t use weak passwords

There is no such thing as “the best practice of password choosing”, there are bad practices, bad choices, and the only thing we can do is to avoid them.

It’s an interesting way to think about how we choose our passwords.

I’ve noticed that guidelines for creating strong passwords, such as “use a long, random collection of numbers, upper- and lower-case letters and wacky characters,” are often turned into arbitrary rules that make passwords easier to guess, like “your password MUST be between eight and twelve characters long and contain at least one uppercase character and one number!”.

So instead of thinking about what makes a password strong, think about avoiding these common pitfalls: don’t pick one of the 10,000 most common passwords; don’t use personal information, an animal, sports team, business name, nickname, quotation, family member, phrase, collections of related words or pet names; avoid dictionary words; and don’t expect to fool anyone by using common missspelllings, $ubst1tuti0ns or by adding numbers53 on the end.


3. Don’t share your passwords

Are you good at keeping secrets? Good, because that’s what a password is – a secret. And if you share a password, it’s not a declaration of true love and it’s not a secret any more either.

The trouble is that many of us just don’t think of passwords like that. A recent survey by the purveyors of password management software, LastPass, found that 95% of us share up to six of our passwords with each other.

And it’s not just a bad habit of end users, it’s a bad habit practised by IT professionals who should know better too, as the RSA 2016 conference survey revealed:

…one in three IT security professionals polled at RSA Conference 2016 admit that their IT staff share passwords. It’s a common IT administration practice.

If you share a password, you lose control of it because you don’t know who else the person you shared your password with shared it with, who they emailed it to or where they wrote it down.

4. Don’t trust password strength meters

Password strength meters have become a common adornment for websites and apps that require you to choose a password. Unfortunately, many of them flatter to deceive with vague wording, fancy graphics and arbitrary rules that look important but might actually make your password weaker.

There are some excellent password strength meters out there, such as the rigorously tested zxcvbn that’s used by Dropbox and WordPress, so some password strength meters are trustworthy. Unfortunately, you can’t tell them from the ones that aren’t.
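The pitfalls listed under point 2 (common passwords, context words, $ubst1tuti0ns and trailing numbers) are exactly what a trustworthy meter must see through, and what the arbitrary "one uppercase and one number" rules miss. The following added example, which is not code from the article, Dropbox, WordPress or zxcvbn, shows a minimal blacklist-style check that undoes those tricks before comparing; the word lists, the substitution table and the 12-character threshold are constructed assumptions, not figures from the article.

```python
import re

# Constructed stand-in for the "10,000 most common passwords" list the article
# mentions; a real check would load the full list from a file.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "monkey",
    "dragon", "baseball", "football", "iloveyou", "sunshine", "princess",
}

# Constructed examples of context words the article warns against
# (names, pets, sports teams, business names); in practice built per site/user.
CONTEXT_WORDS = {"fluffy", "chelsea", "acme", "smith"}

# Undo the usual character substitutions so "p@$$w0rd" is seen as "password".
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 12  # assumed policy threshold, not a figure from the article


def normalize(password: str) -> str:
    """Lower-case, strip trailing numbers/punctuation, then undo substitutions.

    Trailing decoration is removed *before* translating so that "numbers53"
    becomes "numbers" rather than "numbersse".
    """
    lowered = password.lower()
    stripped = re.sub(r"[\d!?.]+$", "", lowered)
    return stripped.translate(SUBSTITUTIONS)


def check_password(password: str) -> list[str]:
    """Return the pitfalls a candidate password trips; an empty list means none."""
    problems = []
    core = normalize(password)
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common password")
    if core in CONTEXT_WORDS:
        problems.append("context word")
    if password.isdigit():
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "P@$$w0rd2016", "Fluffy2019!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'no pitfalls found'}")
```

A check like this only rejects the obviously bad choices; it is not an entropy estimate, so a meter built on it should still be backed by a full common-password list and rate limiting on the login endpoint.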


5. Don’t change passwords to a pattern or schedule

The sage advice used to be to update your passwords every thirty days or every few months to limit the damage that a compromised password can do.

It’s advice that’s been taken up by IT departments and individuals alike but it’s advice that’s aged badly as the number of passwords we have to keep has grown. In the modern world it translates to “you must create and remember about 25 completely new and unrelated random passwords every month”.

Advice that’s good in theory pushes us into taking shortcuts that make cracking our passwords easier; if we’re forced to change our passwords all the time we end up picking shorter passwords, simpler passwords, more memorable passwords, we change them according to guessable patterns and algorithms, and we reuse them.

If you can create and remember a full set of new, strong passwords every month that’s great, but don’t force anyone else to do it because the chances are they can’t.

Seven More Secure Alternatives To Passwords


Tattoos

At All Things Digital's D11 conference in May, Motorola's Regina Dugan introduced several possible password alternatives -- one wearable.
Dugan displayed a temporary tattoo containing "antennas and sensors" that would transmit a unique signal that could then be picked up as part of a passcode on a digital device.
Like any temporary tattoo, it could be peeled off at any time and would last only up to a week.